Downloading Files from Behind the Firewall (and Educating Your Users How To Do It)

So you've raised your firewall high and wide in order to keep nasties
away from your users. You walk proud and smile to yourself thinking that
you are doing a great job protecting your users. But suddenly your users
are not happy. Why? They complain that many download links they used to
transfer software or documents, especially via FTP, don't work anymore.
Something's wrong with the network. Could you fix it? Pronto!

What's wrong? Why are some of the downloads working while others are
not? Well, it is true that the problem lies in the firewall configuration
that prevents the FTP server from establishing a connection to the client
machine, and you could fix it in about 15 minutes by installing an FTP proxy.
But that adds yet another piece of software to configure and watch for
bugs and updates. You may not want to do it, thinking (quite rightly) that
adding yet another link to the overall security chain adds to its
complexity, which in turn lowers the level of protection of your network.
Also, the proxy will not solve all problems with tricky downloads, and
your users will still be blaming you even though it's not your fault.

Instead of messing with your firewall configuration, try a different
approach. Teach users how to download files using better tools than web
browsers. You could organize tutorial sessions for them, but if you are
short of time, you can just as well create a support page that explains
this in detail. You do have an internal web server for publishing
announcements and other internal publications, don't you? This article
should be enough to get you going. If you are really too busy to write
such tutorials yourself, you can always link to this article.

Command-line Utilities

If your users are not afraid of the command line, you could teach them
how to download files using ftp, wget, or curl. All of these tools are
either installed with the
system or available at no charge. But, most importantly, all of these
tools are far more powerful than any GUI application.

My own experience shows that by far the easiest command-line
application that downloads files which are impossible to download using a
web browser is curl. The reason for this is quite simple: in
its default configuration, curl works in passive mode, which
does not conflict with firewalls. Therefore, if you want to have peace of
mind, and not keep on answering users' questions, show them how to use
this tool. And teaching someone to use it is very easy. All a user needs
to do is open the terminal window, type curl -LO, paste the
URL to the file (copied by right-clicking or Ctrl-clicking and choosing
"Copy Link to Clipboard"), and hit Return.

Mac OS X users are the administrator's dream in that respect, because
the system comes with curl pre-installed. All they need to do
is start the Terminal application (Macintosh
HD:Applications:Utilities), type curl and paste
the link to the file they want to retrieve, like this:

[localhost:~] mox% curl -LO ftp://ftp.foo.bar/pub/macosx/p01.hqx

The -L option tells curl to follow redirects when
the original link does not point directly to the file, and the
-O option instructs curl to save the downloaded
file under the same name it has on the remote server.

Users of Linux or *BSD systems can install cURL using an appropriate
package manager, and users of Microsoft Windows can get cURL binaries from
the project's home page.

Another favorite is wget, whose main application is
mirroring web sites. It can just as well be used to download single
files. Using wget is similar to using curl: type
wget, paste the link to the file, and hit Return:

$ wget http://www.foo.bar/files/macosx/p01.hqx

Care must be taken when downloading files from FTP servers. In such
cases, your users must add the --passive-ftp option, as in:

$ wget --passive-ftp ftp://ftp.foo.bar/pub/macosx/p01.hqx

The wget utility is available for all operating systems,
and users of Linux or *BSD systems can install it using an appropriate
package manager. Users of Microsoft Windows can get wget
binaries from this page.

If your users like the standard ftp command, you only need to tell them to
use the passive command:

GUI Options

If you're blessed (or cursed?) with managing users who do not want to
learn command-line tools, you can always let them install a download
manager and an FTP utility. Make sure you point them to one of each from
your intranet support page. (If you give users more choice, you will be
busy supporting several programs: you do not want that.) Create a simple
tutorial page that teaches them how to configure such software -- use
screenshots -- and how to set FTP into passive mode. I recommend that you
tell people to install a good FTP client alongside a download manager,
because FTP clients are more flexible. For example, users can browse local
and remote filesystems, and can upload files, which is not possible with
download managers.

Don't forget about licensing. If your budget is low, try freeware
solutions; otherwise, check if there are shareware solutions available
whose authors offer reasonable site licenses (always less expensive than
multiple single-user licenses).

You can learn more about FTP and why your firewall interferes with it
from TCP/IP Illustrated, Volume 1: The Protocols by W. Richard
Stevens and from RFC 959.
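
The firewall problem described in this article comes down to which side opens the FTP data connection. As an added illustration (not part of the original article), this Python sketch decodes the h1,h2,h3,h4,p1,p2 address tuple defined in RFC 959 from a PORT command and a 227 reply, then checks each against a simple model of a firewall that drops unsolicited inbound connections. The sample lines, addresses and function names are constructed for the example.

```python
import re

# Constructed sample control-channel lines (private / documentation addresses).
ACTIVE_CMD = "PORT 192,168,1,10,19,137"                           # client -> server
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"  # server -> client

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line):
    """Say who opens the data connection and whether it arrives inbound at the client."""
    ip, port = decode_endpoint(line)
    if line.upper().startswith("PORT"):
        # Active mode: the server dials back to the address the client announced.
        return {"mode": "active", "initiator": "server",
                "target": (ip, port), "inbound_to_client": True}
    if line.startswith("227"):
        # Passive mode: the client dials out to the address the server announced.
        return {"mode": "passive", "initiator": "client",
                "target": (ip, port), "inbound_to_client": False}
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def allowed_by_firewall(conn, allow_inbound=False):
    """Model firewall: outbound is permitted, unsolicited inbound is dropped by default."""
    return allow_inbound or not conn["inbound_to_client"]

if __name__ == "__main__":
    for line in (ACTIVE_CMD, PASSIVE_REPLY):
        conn = data_connection(line)
        verdict = "allowed" if allowed_by_firewall(conn) else "blocked"
        print("%-7s %s connects to %s:%d -> %s"
              % (conn["mode"], conn["initiator"], *conn["target"], verdict))
```

Run as a script, it reports the active-mode connection as blocked and the passive-mode connection as allowed, which is the behaviour users see when a browser download fails but curl succeeds.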